PK81387; 7.0.0.1: Possible application source file exposure

Downloadable files


Abstract

Application specific files are open to display and execution by an attacker.

Download Description

PK81387 resolves the following problem:

ERROR DESCRIPTION:

Application specific files are open to display and execution by an attacker.

LOCAL FIX:

PROBLEM SUMMARY

USERS AFFECTED:
IBM WebSphere Application Server versions 5.1, 6.0, 6.1 and 7.0 users.

PROBLEM DESCRIPTION:
Application specific files are open to display and execution by an attacker.

RECOMMENDATION:
None

WebSphere Application Server could allow a remote attacker to bypass security restrictions. Web-based applications, including Web services applications running on WebSphere Application Server, could disclose application-specific files contained within the WAR file, including files under the WEB-INF and META-INF directories. An attacker could exploit this vulnerability to view or execute files on the server contained within the WAR file. This vulnerability also affects the WebSphere administrative console when administrative security is disabled.


PROBLEM CONCLUSION:
The security exposure has been eliminated.

The fix for this APAR is currently targeted for inclusion in Fix Packs 6.0.2.35, 6.1.0.23, and 7.0.0.3.

Note: After applying this fix, the WebContainer custom property "ExposeWEBINFonDispatch" must be set to "true" in order to enable a dispatched request (forward or include) to access a static file from the application's WEB-INF directory.
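As an added example (not IBM's code and not part of this APAR), the following Python models the access rule described in the note above and scans constructed access-log lines for the kind of direct WEB-INF/META-INF requests described in the problem summary. In the product the rule is enforced inside the web container, not in application code; the function and variable names here are assumptions, and the log lines are invented.

```python
import re
from urllib.parse import unquote

PROTECTED = {"WEB-INF", "META-INF"}

def normalize_path(raw: str) -> list[str]:
    """Canonicalize a request path into segments: strip the query, percent-decode
    twice (double encoding), resolve '.'/'..', drop empty segments from '//'."""
    path = unquote(unquote(raw.split("?", 1)[0])).replace("\\", "/")
    segs: list[str] = []
    for seg in path.split("/"):
        if seg == "..":
            segs = segs[:-1]
        elif seg not in ("", "."):
            segs.append(seg)
    return segs

def targets_protected_dir(raw: str) -> bool:
    """True if any canonical segment is WEB-INF or META-INF (case-insensitive)."""
    return any(s.upper() in PROTECTED for s in normalize_path(raw))

def allow_request(raw: str, dispatched: bool, expose_webinf_on_dispatch: bool = False) -> bool:
    """Decision modelled on the fix note: direct client requests into WEB-INF or
    META-INF are refused; a forward/include dispatch reaches WEB-INF content
    only when the ExposeWEBINFonDispatch custom property is "true"."""
    if not targets_protected_dir(raw):
        return True
    return dispatched and expose_webinf_on_dispatch

# Constructed access-log lines (common log format); hosts and paths are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Mar/2009:10:00:01 +0000] "GET /shop/index.jsp HTTP/1.1" 200 512
10.0.0.9 - - [11/Mar/2009:10:00:02 +0000] "GET /shop/WEB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.9 - - [11/Mar/2009:10:00:03 +0000] "GET /shop/web-inf/classes/app.properties HTTP/1.1" 200 300
10.0.0.9 - - [11/Mar/2009:10:00:04 +0000] "GET /shop/%57EB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.9 - - [11/Mar/2009:10:00:05 +0000] "GET /shop/css//../META-INF/MANIFEST.MF HTTP/1.1" 200 120
10.0.0.7 - - [11/Mar/2009:10:00:06 +0000] "GET /shop/images/logo.png HTTP/1.1" 200 4096
"""
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def find_exposure_attempts(log_text: str) -> list[tuple[str, str, int]]:
    """Return (client, path, status) for requests into WEB-INF/META-INF; a 2xx
    status on such a line means the server actually served the file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and targets_protected_dir(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits
```

On an unpatched server a 200 on any of the flagged lines is direct evidence of the exposure; after the fix those requests should return an error status regardless of the custom property.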

Note: To silently uninstall the fix using the update utility on versions 6.1 and 7.0, it may be necessary to specify a different value for backup.package than the maintenance.package value used to install the fix.

The following table shows the valid values for each fix applicable to versions 6.1 and 7.0:


Install maintenance package                 Silent Uninstall backup.package
7.0.0-7.0.0.1-WS-WAS-IFPK81387.pak          7.0.0-WS-WAS-IFPK81387.pak
6.1.0.17-6.1.0.21-WS-WAS-IFPK81387.pak      6.1.0.17-WS-WAS-IFPK81387.pak
6.1.0.13-6.1.0.15-WS-WAS-IFPK81387.pak      6.1.0.13-WS-WAS-IFPK81387.pak
6.1.0.9-6.1.0.11-WS-WAS-IFPK81387.pak       6.1.0.9-WS-WAS-IFPK81387.pak
6.1.0.3-6.1.0.7-WS-WAS-IFPK81387.pak        6.1.0.3-WS-WAS-IFPK81387.pak
6.1.0.2-WS-WAS-IFPK81387.pak                6.1.0.2-WS-WAS-IFPK81387.pak
6.1.0-6.1.0.1-WS-WAS-IFPK81387.pak          6.1.0-WS-WAS-IFPK81387.pak

For example, to silently uninstall package 6.1.0.13-6.1.0.15-WS-WAS-IFPK81387.pak, the value for the backup.package option is 6.1.0.13-WS-WAS-IFPK81387.pak. An example command to silently uninstall this fix is therefore:

update -W backup.package="6.1.0.13-WS-WAS-IFPK81387.pak" -W product.location="C:\A610\was" -W update.type="uninstall" -silent


Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

URL LANGUAGE SIZE(Bytes)
UpdateInstaller US English 7250000

Installation Instructions

Please review the readme.txt for detailed installation instructions.

URL LANGUAGE SIZE(Bytes)
Readme US English 14148

Download package


Download RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
7.0.0-7.0.0.1-WS-WAS-IFPK81387 3/11/2009 US English 38310 FC FTP DD
6.1.0.17-6.1.0.21-WS-WAS-IFPK81387 3/11/2009 US English 45102 FC FTP DD
6.1.0.13-6.1.0.15-WS-WAS-IFPK81387 3/11/2009 US English 44913 FC FTP DD
6.1.0.9-6.1.0.11-WS-WAS-IFPK81387 3/11/2009 US English 44775 FC FTP DD
6.1.0.3-6.1.0.7-WS-WAS-IFPK81387 3/11/2009 US English 44783 FC FTP DD
6.1.0.2-WS-WAS-IFPK81387 3/11/2009 US English 44203 FC FTP DD
6.1.0-6.1.0.1-WS-WAS-IFPK81387 3/11/2009 US English 64393 FC FTP DD
6.0.2.29-6.0.2.33-WS-WAS-IFPK81387 3/11/2009 US English 37285 FC FTP DD
6.0.2.29-6.0.2.31-WS-WAS-i5OSPPC-IF 3/11/2009 US English 50720 FC FTP DD
6.0.2.23-6.0.2.27-WS-WAS-i5OSPPC-IF 3/11/2009 US English 50458 FC FTP DD
6.0.2.21-6.0.2.27-WS-WAS-IFPK81387 3/11/2009 US English 37168 FC FTP DD
6.0.2.15-6.0.2.19-WS-WAS-IFPK81387 3/11/2009 US English 37172 FC FTP DD
6.0.2.15-6.0.2.19-WS-WAS-i5OSPPC-IF 3/11/2009 US English 50451 FC FTP DD
6.0.2.13-WS-WAS-IFPK81387 3/11/2009 US English 36849 FC FTP DD
6.0.2.13-WS-WAS-i5OSPPC-IFPK81387 3/11/2009 US English 49861 FC FTP DD
6.0.2.11-WS-WAS-IFPK81387 3/11/2009 US English 57650 FC FTP DD
6.0.2.11-WS-WAS-i5OSPPC-IFPK81387 3/11/2009 US English 70662 FC FTP DD
6.0.2.7-6.0.2.9-WS-WAS-IFPK81387 3/11/2009 US English 57563 FC FTP DD
6.0.2.7-6.0.2.9-WS-WAS-i5OSPPC-IFPK 3/11/2009 US English 70575 FC FTP DD
6.0.2.0-6.0.2.5-WS-WAS-IFPK81387 3/11/2009 US English 57254 FC FTP DD
6.0.2.0-6.0.2.5-WS-WAS-i5OSPPC-IFPK 3/11/2009 US English 70259 FC FTP DD
5.1.1.19-PK81387Fix.jar 3/12/2009 US English 42373 FC FTP DD
5.1.1.15-5.1.1.18-PK81387_Fix.jar 6/15/2009 US English 43311 FC FTP DD
5.1.1.11-5.1.1.14-PK81387_Fix.jar 6/15/2009 US English 42202 FC FTP DD
5.1.1.9-5.1.1.10-PK81387_Fix.jar 6/15/2009 US English 46005 FC FTP DD
5.1.1.6-5.1.1.8-PK81387_Fix.jar 6/15/2009 US English 45847 FC FTP DD
5.1.1.5-PK81387_Fix.jar 6/15/2009 US English 44947 FC FTP DD
5.1.1.4-PK81387_Fix.jar 6/15/2009 US English 84989 FC FTP DD
5.1.1.3-PK81387_Fix.jar 6/15/2009 US English 40374 FC FTP DD
5.1.1.2-PK81387_Fix.jar 6/15/2009 US English 39924 FC FTP DD
5.1.1-PK81387_Fix.jar 6/15/2009 US English 39995 FC FTP DD
5.1.0.5-PK81387_Fix.jar 6/15/2009 US English 41096 FC FTP DD
5.1.0.1-5.1.0.4-PK81387_Fix.jar 6/15/2009 US English 41027 FC FTP DD
5.1.0-PK81387_Fix.jar 6/15/2009 US English 40982 FC FTP DD

Technical support

Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Problems (APARS) fixed
PK01801, PK02063, PK05760, PK22924, PK23475, PK23670, PK24815, PK32374, PK81387

Document information


More support for:

WebSphere Application Server
Servlet Engine/Web Container

Software version:

5.1, 5.1.1, 6.0.2, 6.1, 7.0, 7.0.0.1

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows

Software edition:

Base, Express, Network Deployment

Reference #:

4022456

Modified date:

2009-03-12